How the Attack Works
Cybercriminals are exploiting Microsoft’s OAuth device authorization flow to compromise accounts on a large scale. This authentication feature was originally designed for devices with limited input capabilities, such as smart TVs and gaming consoles. Attackers trick victims into visiting a legitimate Microsoft page and entering a code provided through phishing emails, PDF attachments, or QR codes. The Microsoft system processes this as normal authentication, allowing attackers to steal authentication tokens without triggering suspicious login prompts.
Once a victim enters the device code within its 15-minute expiration window, threat actors gain immediate access to the account. The stolen tokens provide persistent access that remains valid even if the victim later changes their password. This approach allows attackers to operate entirely through legitimate Microsoft infrastructure, making it extremely difficult for traditional security tools to detect the malicious activity.
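Because the sign-in itself goes through Microsoft's own endpoints, the most reliable defender-side hook is the sign-in log, where a device code authentication is recorded as such. The following is an added example, not code from the article or from Proofpoint: a small triage pass over Entra ID sign-in records that flags device code sign-ins and raises the severity when a successful one comes from an IP address the user has never signed in from. Field names follow the Microsoft Graph signIn resource (`authenticationProtocol`, `ipAddress`, `userPrincipalName`, `status.errorCode`); the sample records, app names and the per-user IP baseline are constructed for the demo.

```python
"""Flag device code sign-ins in Entra ID sign-in log records (added example)."""
from datetime import datetime, timezone

# Constructed baseline: IPs each user has signed in from recently.
# In practice this would be built from the previous weeks of sign-in logs.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"198.51.100.7"},
}

# Constructed sample sign-in records using Graph signIn field names.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "authorizationCode",
     "ipAddress": "203.0.113.10", "appDisplayName": "Constructed App A",
     "createdDateTime": "2025-03-04T09:12:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.55", "appDisplayName": "Constructed App B",
     "createdDateTime": "2025-03-04T09:20:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "appDisplayName": "Constructed App A",
     "createdDateTime": "2025-03-04T10:01:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "authorizationCode",
     "ipAddress": "198.51.100.7", "appDisplayName": "Constructed App A",
     "createdDateTime": "2025-03-04T10:05:00Z", "status": {"errorCode": 0}},
]


def classify_signin(rec, known_ips=KNOWN_IPS):
    """Return a severity for one record, or None if it is not a device code sign-in.

    - failed device code attempt            -> "info"   (count it, do not alert alone)
    - success from an IP never seen for user -> "high"   (matches the phishing pattern)
    - success from a familiar IP             -> "medium" (rare flow, still worth review)
    """
    if rec.get("authenticationProtocol") != "deviceCode":
        return None
    if rec.get("status", {}).get("errorCode", 0) != 0:
        return "info"
    user = rec.get("userPrincipalName", "")
    if rec.get("ipAddress") not in known_ips.get(user, set()):
        return "high"
    return "medium"


def flag_device_code_signins(records, known_ips=KNOWN_IPS):
    """Run classify_signin over a batch and return findings ordered by sign-in time."""
    findings = []
    for rec in records:
        severity = classify_signin(rec, known_ips)
        if severity is None:
            continue
        # Graph timestamps end in "Z"; normalise to an aware UTC datetime.
        when = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        findings.append({
            "severity": severity,
            "user": rec["userPrincipalName"],
            "ip": rec.get("ipAddress"),
            "app": rec.get("appDisplayName"),
            "time": when.astimezone(timezone.utc),
        })
    findings.sort(key=lambda f: f["time"])
    return findings


if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f['severity'].upper()}] {f['time'].isoformat()} "
              f"{f['user']} via device code from {f['ip']} ({f['app']})")
```

Device code sign-ins are uncommon for most user populations, so the protocol field alone is a useful filter, and a successful one from a new IP is a strong triage signal. Because the tokens obtained this way remain valid after a password change, response to a "high" finding should revoke the user's sessions and refresh tokens rather than only reset the password, and tenants that have no business need for the device code flow can restrict it through Conditional Access.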
Impact and Scope
Security researchers at Proofpoint identified hundreds of device code phishing campaigns targeting organizations across multiple industries since late 2024. The attacks have surged dramatically, representing a major evolution in identity takeover techniques. Criminals have increasingly abandoned traditional credential harvesting pages in favor of this method for campaigns ranging from business email compromise to corporate espionage.
The technique exploits implicit trust in official Microsoft services. Victims unknowingly grant full access to their accounts without ever seeing a suspicious login interface. Security teams remain unprepared for attacks that bypass conventional detection mechanisms entirely.
Source: Cyber Security News
